On Thu, Feb 23, 2012 at 4:59 PM, Mark Knecht <markkne...@gmail.com> wrote:
> What is it about my systems wherein every one of these https links
> cause my systems to barf with a "This Connection is Untrusted" message.
> If I remove the 's' then things work fine.

https encompasses two basic functions: encryption and trust. In this case the hostname in the SSL certificate installed on that server does not match the hostname in the URL, so it does not trust it. If they matched, it would then check to see if it was expired. If it was not expired, it would then check to see if it was signed by a CA that you trust (browsers come with a set of trusted CAs already). If it was self-signed or signed by an untrusted CA (like DigiNotar...) you'd get a warning as well.

If literally every https link is untrusted, maybe you have an issue with the installation of certificates on your system, or have chosen not to trust any CAs.

Commercial websites, banks, stores, etc. should always have valid and trusted certificates. In the OSS world, most people don't have the need or money to pay for a certificate when all they're really interested in is encrypting the connection. There are also servers that are listening for https connections but aren't advertised as such... the Mozilla website is probably one of those. Plug-ins like HTTPS-everywhere will try to use https even on sites that don't use it by default.

In all of those cases above, if you allowed the connection it would still be SSL encrypted. You'd be protected against packet sniffers but not against a man-in-the-middle attack. By switching to http your session occurs in plain-text and is vulnerable to both attacks.
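
The checks described in this message, in the order it gives them, as an added example that is not part of the original email. It runs on a constructed certificate in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the hostnames, CA name, `TRUSTED_CAS` set and `NOW` are assumptions, and the issuer is compared by name only, where a real client verifies the signature chain.

```python
import ssl

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notBefore": "Jan  1 00:00:00 2012 GMT",
    "notAfter": "Jan  1 00:00:00 2013 GMT",
    "subjectAltName": (("DNS", "www.example.org"), ("DNS", "*.cdn.example.org")),
}
TRUSTED_CAS = {"Example Trusted CA"}  # assumption: stand-in for the browser's CA store
NOW = ssl.cert_time_to_seconds("Feb 23 16:59:00 2012 GMT")  # constructed "current time"


def _name(field):
    """Flatten a getpeercert() subject/issuer tuple and return its commonName."""
    return dict(attr for rdn in field for attr in rdn).get("commonName", "")


def hostname_matches(cert, host):
    """Compare host with the DNS names; '*' may replace only the leftmost label."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = names or [_name(cert["subject"])]
    host_labels = host.lower().split(".")
    for pattern in names:
        labels = pattern.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[1:] == host_labels[1:] and labels[0] in ("*", host_labels[0]):
            return True
    return False


def check(cert, host, now, trusted=TRUSTED_CAS):
    """Return the first failing check, or 'trusted' if all three pass."""
    if not hostname_matches(cert, host):
        return "hostname mismatch"
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        return "expired or not yet valid"
    issuer = _name(cert["issuer"])
    if issuer == _name(cert["subject"]):
        return "self-signed"
    if issuer not in trusted:
        return "untrusted CA"
    return "trusted"
```

Any result other than `trusted` corresponds to the browser warning discussed above; the connection would still be encrypted if the user accepted it.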